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DETAILED ACTION 
Examiner's Amendment 

1. An examiner's amendment to the record appears below. Should the 
changes and/or additions be unacceptable to applicant, an amendment may be filed as 
provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. 

2. Authorization for this examiner's amendment was given in a telephone 
interview with Mr. Nathan T. Grebasch on September 28, 2007. During the telephone 
conference, Mr. Grebasch has agreed and authorized examiner to amend claims 8, 13, 
18-19, 22, 26, 35, 37, 46, and 47, wherein the independent claims 8, 19, 26, and 35 
now include the limitation of claims 17, 24, 30, and 36 respectively. Mr. Grebasch has 
also agreed and authorized examiner to add claims 47-49; and cancel claims 1-7, 17, 
20, 24, 28, 30-34, 36, and 40-44 without prejudice or disclaimer. 

CLAIMS: 

a. Please cancel claims 1-7, 17, 20, 24, 28, 30-34, 36 r and 40-44. 

b. Referring to claim 8: 

Please replace claim 8 as follows: 

One or more computer-readable media comprising computer- 
executable instructions that, when executed by a processor, direct a the processor to 
perform acts including: 

receiving a request to perform an operation; 

checking whether to access a business logic module in order to 
generate a result for the requested operation, wherein the business logic module 
contains problem-solving logic that produces solutions for a particular problem domain, 
and wherein the business logic module employs interaction-based definitions in which a 
component which performs an operation associated with the request is defined by a 
series of request-response interaction definitions that can be satisfied to perform the 
operation; 

obtaining, from the business logic module, a set of zero or more 
additional tests to be performed in order to generate the result; 



Application/Control Number: 09/847,037 
Art Unit: 2135 



Page 3 



performing each additional test in the set of tests if there is at least 
one test in the set of tests; 

checking a set of pluggable rules to determine the result of the 
requested operation; and 

returning, as the result, a failure indication if checking the business 
logic module or checking the set of pluggable rules indicates that the result is a failure, 
otherwise returning, as the result, a success indication, 

wherein the set of pluggable rules includes a plurality of permission 
assignment objects, wherein each of the permission assignment objects associates a 
user with a particular role, wherein each particular role is associated with one or more 
permissions, and wherein each of the one or more permissions identifies a particular 
operation and context on which the operation is to be performed. 

c. Referring to claim '13: 

Please replace claim 13 as follows: 

One or more computer-readable media as recited in claim 12, 
wherein the high-level permission concepts include a type of operation to be performed 
and a context, wherein the context allows identification of what the type of operation to 
be performed is to be performed on. 

d. Referring to claim 19: 

Please replace claim 19 as follows: 
A method comprising: 

providing high-level permission concepts, including context and 
operation, for security rules; 

allowing a set of security rules to be defined using the high-level 
permission concepts, wherein the set of security rules allows permissions to be 
assigned to users of an application, in which the set of security rules includes a plurality 
of permission assignment objects, in which each of the permission assignment objects 
associates a user with a particular role,, in which each particular role is associated with 
one or more permissions, and in which each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed; and 
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determining, based at least in part on a permission assigned to a 
user, whether to permit an operation based on a request by the user, 

wherein the determining further comprises determining whether to 
permit the operation requested by the user based at least in part on accessing a 
business logic module to identify one or more additional tests to perform to determine if 
the operation is permitted, and further comprising performing the one or more additional 
tests, wherein the business logic module contains problem-solving logic that produces 
solutions for a particular problem domain, and wherein the business logic module 
employs interaction-based definitions in which a component which performs the 
operation is defined by a series of request-response interaction definitions that can be 
satisfied to perform the operation. 

e. Referring to claim 22: 

Please replace claim 22 as follows: 

A method as recited in claim 19, wherein the high-level permission 
concepts include an operation and a context, wherein the operation allows identification 
of a type of operation to be performed and the context allows identification of what the 
operation is to be performed on. 

f. Referring to claim 26: 

Please replace claim 26 as follows: 
A method comprising: 

receiving a request to perform an operation associated with 
business logic module, wherein the business logic module contains problem-solving 
logic that produces solutions for a particular problem domain, and wherein the business 
logic module employs interaction-based definitions in which a component which 
performs the operation is defined by a series of request-response interaction definitions 
that can be satisfied to perform the operation; 

accessing a set of low-level rules, wherein the low-level rules, 
including at least one of modifying, deleting, viewing, approving, or creating, are defined 
in terms of high-level concepts, the low-level rules further include a plurality of 
permission assignment objects, wherein each of the permission assignment objects 
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associates a user with a particular role, wherein each particular role is associated with 
one or more permissions, and wherein each of the one or more permissions identifies a 
particular operation and context on which the operation is to be performed; 

checking whether a user requesting to perform the operation is 
entitled to perform the operation based at least in part on the set of low-level rules; and 

returning an indication of whether the operation is allowed or not 

allowed, 

wherein the set of low-level rules can be replaced with another set 
of low- level rules without altering the business logic module. 

g. Referring to claim 35: 

Please replace claim 35 as follows: 
An architecture comprising: 

a plurality of resources including a processor to process requests; 

a business logic layer to process, based at least in part on the 
plurality of resources, requests received from a client, wherein the business logic layer 
contains problem-solving logic that produces solutions for a particular problem domain, 
and wherein the business logic layer employs interaction-based definitions in which a 
component which performs an operation corresponding to an individual request is 
defined by a series of request-response interaction definitions that can be satisfied to 
perform the operation; and 

a pluggable security policy enforcement module, separate from the 
business logic layer, to enforce security restrictions on accessing information stored at 
the plurality of resources based on the operation corresponding to the individual 
request, 

wherein the pluggable security policy enforcement module defines 
high-level permission concepts for security rules and further defines a set of security 
rules using the high-level permission concepts which include context and operation. 

h. Referring to claim 37: 

Please replace claim 37 as follows: 
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An architecture as recited in claim 35, wherein the operation allows 
identification of a type of operation to be performed and the context allows identification 
of what the type of operation is to be performed on. 
i. Referring to claim 39: 

Please replace claim 39 as follows: 

An architecture as recited in claim 35, wherein the pluggable 
security policy enforcement module is configured to determine, based at least in part on 
a permission assigned to a user and on one or more additional tests identified by 
accessing the business logic layer, whether to permit a type of operation to access 
information at the plurality of resources. 

j. Referring to claim 46: 

Please replace claim 46 as follows: 

A method as recited in claim 19, wherein the type of operation is 
selected from the group consisting of creation, deletion, viewing, approval, and 
modification. 

k. Referring to claim 18: 

Please replace claim 18 as follows: 

One or more computer-readable media as recited in claim 8, 
wherein each of the permission assignment objects further identifies whether the one or 
more permissions in the particular role are granted to the user or denied to the user. 
I. Referring to claim 25: 

Please replace claim 25 as follows: 

A method as recited in claim 19, wherein each of the permission 
assignment objects further identifies whether the one or more permissions in the 
particular role are granted to the user or denied to the user, 
m. Referring to claim 47: 

Please add claim 47 as follows: 

A method as recited in claim 22, wherein the type of operation is 
selected from the group consisting of creation, deletion, viewing, approval, and 
modification. 
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n. Referring to claim 48: 

Please add claim 48 as follows: 

One or more computer-readable media as recited in claim 13, 
wherein the type of operation is selected from the group consisting of creation, deletion, 
viewing, approval, and modification. 

o. Referring to claim 49: 

Please add claim 49 as follows: 

An architecture as recited in claim 37, wherein the type of operation 
is selected from the group consisting of creation, deletion, viewing, approval, and 
modification. 

Information Disclosure Statement 

3. The information disclosure statement (IDS) filed on August 30, 2007 is in 
compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure 
statement is being considered by the examiner. 

Allowable Subject Matter 

4. Claims 8-16, 18-19, 21-23, 25-27, 29, 35, 37-39, and 45-49 are allowed. 
The following is an examiner's statement of reasons for allowance: see 

attached Interview Summary. 

Any comments considered necessary by applicant must be submitted no 
later than the payment of the issue fee and, to avoid processing delays, should 
preferably accompany the issue fee. Such submissions should be clearly labeled 
"Comments on Statement of Reasons for Allowance." 

Conclusion 

4. Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Thanhnga (Tanya) Truong whose telephone number 
is 571-272-3858. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached at 571-272-3859. The fax and phone 
numbers for the organization where this application or proceeding is assigned is 571- 
273-8300 
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Any inquiry of a general nature or relating to the status of this application 
or proceeding should be directed to the receptionist whose telephone number is 571- 
272-2100. 

tbt pr.W^ ^M^WT 

September 28, 2007 



